Difference between revisions of "Systemd debian"

From Teknologisk videncenter
(Created page with " =Links= *[https://wiki.debian.org/systemd/Services debian.org Create Service] *[https://medium.com/@benmorel/creating-a-linux-service-with-systemd-611b5c8b91d6 Eksempel på...")
 
m (Dependencies)
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
*Scriptfiles in /lib/systemd/system - See exampels of servicefiles there - add your own new system service:
 +
<source lang=bash>
 +
...:~$ sudo systemd-analyze verify YOUR_SERVICEFILE
 +
...:~$ sudo systemctl daemon-reload
 +
...:~$ sudo systemctl enable YOUR_SERVICEFILE
 +
...:~$ sudo systemctl YOUR_SERICEFILE
 +
</source>
 +
=Often used=
 +
<source lang=bash>
 +
# systemctl start [name.service]
 +
# systemctl stop [name.service]
 +
# systemctl restart [name.service]
 +
# systemctl reload [name.service]
 +
$ systemctl status [name.service]
 +
# systemctl is-active [name.service]
 +
$ systemctl list-units --type service --all
 +
$ systemctl show [name.service]
 +
</source>
 +
=Dependencies=
  
 +
<source lang=bash>
 +
systemctl list-dependencies
 +
</source>
 +
=Security=
 +
<source lang=bash>
 +
# systemd-analyze security
 +
UNIT                                    EXPOSURE PREDICATE HAPPY
 +
ModemManager.service                          6.2 MEDIUM    😐
 +
accounts-daemon.service                      9.6 UNSAFE    😨
 +
apache2.service                              9.2 UNSAFE    😨
 +
apport.service                                9.6 UNSAFE    😨
 +
atd.service                                  9.6 UNSAFE    😨
 +
cron.service                                  9.6 UNSAFE    😨
 +
dbus.service                                  9.6 UNSAFE    😨
 +
dm-event.service                              9.5 UNSAFE    😨
 +
.....
 +
 +
# systemd-analyze security apache2
 +
  NAME                                                        DESCRIPTION                                                            EXPOSURE
 +
✗ PrivateNetwork=                                            Service has access to the host's network                                    0.5
 +
✗ User=/DynamicUser=                                          Service runs as root user                                                    0.4
 +
✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service may change UID/GID identities/capabilities                          0.3
 +
✗ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has administrator privileges                                        0.3
 +
✗ CapabilityBoundingSet=~CAP_SYS_PTRACE                      Service has ptrace() debugging abilities                                    0.3
 +
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                        0.3
 +
✗ RestrictNamespaces=~CLONE_NEWUSER                          Service may create user namespaces                                          0.3
 +
✗ RestrictAddressFamilies=~…                                  Service may allocate exotic sockets                                          0.3
 +
✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)          Service may change file ownership/access mode/capabilities unrestricted      0.2
 +
✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)        Service may override UNIX file/IPC permission checks                        0.2
 +
           
 +
</source>
 +
 +
=Writing your own systemd services=
 +
*[[systemd service file]] example
 +
==Links==
 +
*See [https://man7.org/linux/man-pages/man7/daemon.7.html man page daemon(7)]
 +
*[https://linuxhandbook.com/create-systemd-services/ Create systemd services]
 +
*[https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html?ref=linuxhandbook.com#Options Systemd.servce - service unit configuration]
 +
*[https://medium.com/@benmorel/creating-a-linux-service-with-systemd-611b5c8b91d6 Creating a Linux service with systemd]
  
 
=Links=
 
=Links=
 +
*https://www.linux.com/training-tutorials/understanding-and-using-systemd/
 +
*https://learning.oreilly.com/library/view/exploring-beaglebone-2nd/9781119533160/c15.xhtml (Godt eksempel)
 
*[https://wiki.debian.org/systemd/Services debian.org Create Service]
 
*[https://wiki.debian.org/systemd/Services debian.org Create Service]
 
*[https://medium.com/@benmorel/creating-a-linux-service-with-systemd-611b5c8b91d6 Eksempel på service lavet i PHP]
 
*[https://medium.com/@benmorel/creating-a-linux-service-with-systemd-611b5c8b91d6 Eksempel på service lavet i PHP]
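
Review bot: the last command in the first source block, `sudo systemctl YOUR_SERICEFILE`, has no systemctl verb and misspells the placeholder used on the three lines above it, so it cannot be run as written; it presumably should read `sudo systemctl start YOUR_SERVICEFILE`. In the same bullet "exampels" should be "examples", and the link label "Systemd.servce" under "Writing your own systemd services" should be "systemd.service". The "Often used" block mixes `#` and `$` prompts without saying that `#` means a root shell; a one-line note would help readers who copy `systemctl is-active`, which is listed with `#` but is a read-only query like the `$` lines around it.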

Latest revision as of 08:17, 11 July 2025

  • Script files in /lib/systemd/system - see the examples of service files there - then add your own new system service:
...:~$ sudo systemd-analyze verify YOUR_SERVICEFILE
...:~$ sudo systemctl daemon-reload
...:~$ sudo systemctl enable YOUR_SERVICEFILE
...:~$ sudo systemctl start YOUR_SERVICEFILE

Often used

# systemctl start [name.service]
# systemctl stop [name.service]
# systemctl restart [name.service]
# systemctl reload [name.service]
$ systemctl status [name.service]
# systemctl is-active [name.service]
$ systemctl list-units --type service --all
$ systemctl show [name.service]

Dependencies

systemctl list-dependencies

Security

# systemd-analyze security
UNIT                                     EXPOSURE PREDICATE HAPPY
ModemManager.service                          6.2 MEDIUM    😐
accounts-daemon.service                       9.6 UNSAFE    😨
apache2.service                               9.2 UNSAFE    😨
apport.service                                9.6 UNSAFE    😨
atd.service                                   9.6 UNSAFE    😨
cron.service                                  9.6 UNSAFE    😨
dbus.service                                  9.6 UNSAFE    😨
dm-event.service                              9.5 UNSAFE    😨
.....

# systemd-analyze security apache2
  NAME                                                        DESCRIPTION                                                             EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network                                     0.5
✗ User=/DynamicUser=                                          Service runs as root user                                                    0.4
✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service may change UID/GID identities/capabilities                           0.3
✗ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has administrator privileges                                         0.3
✗ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has ptrace() debugging abilities                                     0.3
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                        0.3
✗ RestrictNamespaces=~CLONE_NEWUSER                           Service may create user namespaces                                           0.3
✗ RestrictAddressFamilies=~…                                  Service may allocate exotic sockets                                          0.3
✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service may change file ownership/access mode/capabilities unrestricted      0.2
✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service may override UNIX file/IPC permission checks                         0.2
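
An added example (not part of the original wiki page): a small shell filter that reads the `systemd-analyze security` overview table shown above and lists the units at or above a chosen exposure score, worst first, so the output can be used as a periodic check. The function names `over_threshold` and `gate` and the `SAMPLE` text are assumptions made for this example; the sample rows are copied from the listing on this page.

```shell
#!/bin/sh
# Added example: triage the overview table printed by `systemd-analyze security`.
# SAMPLE is constructed from rows shown on this page so the script runs offline.
SAMPLE='UNIT                                     EXPOSURE PREDICATE HAPPY
ModemManager.service                          6.2 MEDIUM    😐
accounts-daemon.service                       9.6 UNSAFE    😨
apache2.service                               9.2 UNSAFE    😨
dm-event.service                              9.5 UNSAFE    😨
.....'

# over_threshold LIMIT
# Reads the overview table on stdin and prints "EXPOSURE UNIT" for every
# unit whose exposure is >= LIMIT, highest exposure first.
# Only the first two columns are used, so the header, the "....." filler
# line and a missing emoji column (non-UTF-8 output) are all harmless.
over_threshold() {
    awk -v limit="$1" '
        $2 ~ /^[0-9]+(\.[0-9]+)?$/ && $2 + 0 >= limit + 0 { print $2, $1 }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# gate LIMIT
# Returns 1 (and lists the offenders on stderr) if any unit on stdin is at
# or above LIMIT, otherwise returns 0. Suitable for cron or a CI job.
gate() {
    gate_hits=$(over_threshold "$1")
    if [ -n "$gate_hits" ]; then
        printf '%s\n' "$gate_hits" >&2
        return 1
    fi
    return 0
}

# On a live system (assumes systemd-analyze is installed):
#   systemd-analyze security --no-pager | over_threshold 9.0
#   systemd-analyze security --no-pager | gate 9.5 || echo "review these units"
```

Units reported here are the ones to inspect next with `systemd-analyze security UNIT`, as the page does for apache2.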

Writing your own systemd services

Links

Links